Cmpilatopublished

**Name of the Vulnerable Software and Affected Versions** ViewVC versions prior to 1.2.3 ViewVC versions prior to 1.1.30 **Description** ViewVC is a browser interface for CVS and Subversion version control repositories. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names, which themselves can be challenging to create. **Recommendations** For versions prior to 1.2.3, update to at least version 1.2.3. For versions prior to 1.1.30, update to at least version 1.1.30. For ViewVC 1.0.x, edit the ViewVC EZT view templates to manually HTML-escape changed path "copyfrom paths" during rendering by wrapping references to `[changes.copy path]` with `[format "html"]` and `[end]`. This workaround should be reverted after upgrading to a patched version of ViewVC.

**Name of the Vulnerable Software and Affected Versions** ViewVC versions prior to 1.2.2 ViewVC versions prior to 1.1.29 **Description** The issue is a cross-site scripting vulnerability that affects ViewVC, a browser interface for CVS and Subversion version control repositories. The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a Subversion repository exposed by an otherwise trusted ViewVC instance. The attack vector involves files with unsafe names, which themselves can be challenging to create. **Recommendations** For versions prior to 1.2.2, update to at least version 1.2.2. For versions prior to 1.1.29, update to at least version 1.1.29. For ViewVC 1.0.x, edit the ViewVC EZT view templates to manually HTML-escape changed paths during rendering by wrapping references to changed paths with `[format "html"]` and `[end]`. For most users, this means changing `[changes.path]` to `[format "html"][changes.path][end]`. This workaround should be reverted after upgrading to a patched version of ViewVC.

**Nome do software vulnerável e versões afetadas** Versões do ViewVC anteriores à 1.1.28 Versões do ViewVC anteriores à 1.2.1 **Descrição** O problema está relacionado a uma vulnerabilidade XSS no suporte ao CVS show subdir lastmod. O impacto dessa vulnerabilidade é mitigado pela necessidade de um invasor ter privilégios de commit em um repositório CVS exposto por uma instância do ViewVC, que de outra forma seria confiável, mas que também tenha o recurso `show subdir lastmod` habilitado. O vetor de ataque envolve arquivos com nomes inseguros, que por si só podem ser difíceis de criar. **Recomendações** Para versões anteriores à 1.1.28, atualize para a versão 1.1.28 para resolver o problema. Para versões anteriores à 1.2.1, atualize para a versão 1.2.1 para resolver o problema. Como solução alternativa temporária, considere desativar o recurso `show subdir lastmod` até que um patch esteja disponível.